Results from NERC’s recent supply chain effectiveness survey show that the organization’s Critical Infrastructure Protection (CIP) reliability standards are having a positive impact on the industry, staff said Tuesday.
However, more work remains to clear up misunderstandings about their requirements and applicability.
NERC conducted the survey between Oct. 12 and Nov. 30 last year, after the Board of Trustees requested an update on the effectiveness of the supply chain risk management (SCRM) standards:
- CIP-013-1 (Supply chain risk management);
- CIP-005-6 (Cybersecurity — electronic security perimeter(s)), parts 2.4 and 2.5; and
- CIP-010-3 (Cybersecurity — configuration change management and vulnerability assessments), part 1.6.
All three standards took effect Oct. 1, 2020, following their approval by FERC two years prior. (See FERC Finalizes Supply Chain Standards.) Since then, the commission has approved their replacements, CIP-013-2, CIP-005-7 and CIP-010-4, which will take effect on Oct. 1. (See FERC OKs Updated Supply Chain Standards.)
The voluntary survey was sent to “approximately 900 compliance contacts at registered entities,” with 201 responding. Eleven surveys were handed back without selecting any answers from the multiple-choice component or providing any comments. Of those that did fill out the survey, 114 said the SCRM standards were applicable to them, while 76 said they were not.
Presenting the survey results at Tuesday’s meeting of NERC’s Reliability and Security Technical Committee, Tony Eddleman, director of NERC reliability compliance at the Nebraska Public Power District and chair of NERC’s Supply Chain Working Group, highlighted responses that indicate registered entities are going beyond the letter of the relevant standards.
In particular, he noted that 24 of the 76 entities that said the SCRM standards did not apply to them — nearly a third — said they are “applying the SCRM principles … to [their] operational, business and/or contract language.” In addition, more than half of those that said the standards do apply to them said they are applying SCRM principles to systems that are not in their scope, such as low-impact bulk electric system cyber systems, which are not covered in the current or upcoming versions of the standards.
“What they told [is] that the standards are a good basis to determine what is needed if the entity wants to have a formal program,” Eddleman said. “So the standards are relatively new, and some entities don’t have compliance requirements, but they are using these to help develop programs.”
Not All Entities Clear on Requirements
While the willingness of entities to go beyond the minimum required by the supply chain standards is promising, the survey also brought to light some potential problems with the standards. For example, even though more than 60% of respondents said they felt the standards’ requirements are clear, they still said they had “questions about compliance evidence,” indicating that they were not sure how auditors might assess their compliance. Additionally, more than 40% of respondents indicated they did not have “a clear understanding of what constitutes a violation” of the standards.
Another finding that raised eyebrows at NERC was that while entities reported dedicating about 22% of their CIP compliance program resources on average to SCRM issues, those compliance programs themselves have only grown about 9% since the introduction of the standards. This indicates to NERC that rather than hiring new staff specifically for supply chain compliance, utilities have tended to simply assign employees who normally handle other CIP issues to the SCRM beat. Eddleman expressed concern that this approach might put excessive burdens on already-stretched security professionals.
“One of the quotes that we saw … kind of summed up several of the comments we received … and it said, ‘We all cringe when we know we have to make a purchase,’” Eddleman said. “Supply chain risk management is requiring significant resources … and it’s stealing resources from other CIP programs, [which] is not just a resource strain on utilities, it’s also on vendors.”